A blog which tries to demystify computer security, point out the half-truths and misinformation which float around about this subject and hopefully reduce the hype created by semi-informed people. It also has some useful tips from time to time.


Wednesday, March 04, 2009

In the last couple of months I’ve been helping out with the webhoneypot project. From the Google Code website:

DShield.org is offering this honeypot for users to capture automated web application exploits. It is a very simple "semi interactive" honeypot implemented in PHP.

The core idea is the following:

You install it on a web server and configure it so that all requests are routed to a single file (index.php). This can be done with something like mod_rewrite or mod_alias for Apache, and with similar methods for other web servers (nginx, for example, has a built-in rewrite statement).

URLs of “vulnerable looking” web applications are served up to spiders.

When a URL is accessed, it is matched against a set of regular expressions and, depending on which regex matches the longest part of the string, a static file is served up. The request is captured and sent to SANS in the background.
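The longest-match selection described above, sketched in PHP as an added example (this is not webhoneypot's own code). The patterns, template paths, function names and sample URIs are constructed for illustration, and the capture step only builds a local record rather than submitting anything.

```php
<?php
// Added illustration, not webhoneypot's own code. The patterns, template
// paths and sample URIs are constructed for this example.
const TEMPLATES = [
    '#/phpmyadmin/#i'                    => 'templates/phpmyadmin.html',
    '#/phpmyadmin/scripts/setup\.php#i'  => 'templates/pma_setup.html',
    '#\.php\?.*=https?://#i'             => 'templates/include_probe.html',
];
const DEFAULT_TEMPLATE = 'templates/index.html';

// Return [template, pattern, matched length] for the pattern whose match
// covers the most characters of $uri. Ties keep the earlier pattern.
function select_template(string $uri, array $templates = TEMPLATES): array
{
    $best = [DEFAULT_TEMPLATE, null, 0];
    foreach ($templates as $pattern => $file) {
        $found = @preg_match($pattern, $uri, $m);
        if ($found === false) {
            // A broken pattern must not take the honeypot down: log and skip.
            error_log("pattern $pattern failed, PCRE error " . preg_last_error());
            continue;
        }
        if ($found === 1 && strlen($m[0]) > $best[2]) {
            $best = [$file, $pattern, strlen($m[0])];
        }
    }
    return $best;
}

// Build the record to log before any template is sent. Every field is
// attacker-controlled, so it is stored as data and never interpreted.
function capture_request(string $method, string $uri, string $agent): string
{
    return json_encode(['time' => gmdate('c'), 'method' => $method, 'uri' => $uri, 'agent' => $agent]);
}

$samples = [
    '/phpMyAdmin/index.php',
    '/phpmyadmin/scripts/setup.php',
    '/index.php?page=http://example.invalid/x.txt',
    '/robots.txt',
];
foreach ($samples as $uri) {
    [$file, $pattern, $len] = select_template($uri);
    echo capture_request('GET', $uri, 'sample-agent'), "\n";
    printf("  -> %s (pattern %s, %d chars matched)\n", $file, $pattern ?? 'none', $len);
}
```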

An automatic update mechanism for the templates is in the works; however, it is not working yet. The documentation is also a little out of date, but we are working hard on refreshing it. In the future we will probably include some more emulation (the idea was taken from the Glastopf project) to elicit responses from automated RFI/LFI scanning bots. Also look forward to a tutorial on how to run it on routers running OpenWrt.